Abstract
Graphical password is considered as an alternative to traditional textual password, but it also faces many threats such as shoulder-surfing attack. To design and build a more secure and robust graphical password system with the resistance to multiple attacks modalities, especially brute force attack, guessing attack and shoulder-surfing attack, it is important to avoid the credentials being captured in just one step, e.g., by adding several rounds of input. For example, with respect to shoulder-surfing attack resistance, the input design ought to incorporate a certain degree of fault tolerance, with the specific value determined based on the acceptable tolerance range. By integrating this fault tolerance characteristic, the system can effectively withstand shoulder-surfing attacks while preserving the integrity of the authentication procedure. In this work, we learn from the current literature and design a graphical password scheme based on rounded image selection (e.g., three rounds). We provide a detailed scheme design and perform a performance analysis via a user study. Our results indicate that our proposed scheme is viable and gets credit from the participants.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
It means a subset of the observations are selected randomly, and once an observation is selected it cannot be selected again.
- 2.
References
Aviv, A.J., Gibson, K., Mossop, E., Blaze, M., Smith, J.M.: Smudge attacks on smartphone touch screens. In: Proceedings of the 4th USENIX Conference on Offensive Technologies, pp. 1–7, USENIX Association (2010)
Biddle, R., Chiasson, S., Van Oorschot, P.: Graphical passwords: learning from the first twelve years. ACM Comput. Surv. 44(4), 1–41 (2012)
Chiasson, S., Stobert, E., Forget, A., Biddle, R.: Persuasive cued click-points: design, implementation, and evaluation of a knowledge-based authentication mechanism. IEEE Trans. Dependable Secure Comput. 9(2), 222–235 (2012)
Chakraborty, N., Anand, S.V., Mondal, S.: Towards identifying and preventing behavioral side channel attack on recording attack resilient unaided authentication services. Comput. Secur. 84, 193–205 (2019)
Dirik, A.E., Memon, N., Birget, J.C.: Modeling user choice in the passpoints graphical password scheme. In: Proceedings of the 3rd Symposium on Usable Privacy and Security (SOUPS), New York, NY, USA, pp. 20–28. ACM (2007)
Dhamija, R., Perrig, A.: Deja Vu: a user study using images for authentication. In: Proceedings of the 9th USENIX Security Symposium (2000)
Dunphy, P., Yan, J.: Do background images improve “draw a secret” graphical passwords? In: Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS), pp. 36–47 (2007)
Gołofit, K.: Click passwords under investigation. In: Biskup, J., López, J. (eds.) ESORICS 2007. LNCS, vol. 4734, pp. 343–358. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74835-9_23
Jermyn, I., Mayer, A., Monrose, F., Reiter, M.K., Rubin, A.D.: The design and analysis of graphical passwords. In: Proceedings of the 8th Conference on USENIX Security Symposium, pp. 1–14. USENIX Association, Berkeley (1999)
Li, W., Tan, J., Meng, W., Wang, Yu., Li, J.: SwipeVLock: a supervised unlocking mechanism based on swipe behavior on smartphones. In: Chen, X., Huang, X., Zhang, J. (eds.) ML4CS 2019. LNCS, vol. 11806, pp. 140–153. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-30619-9_11
Li, W., Tan, J., Meng, W., Wang, Y.: A swipe-based unlocking mechanism with supervised learning on smartphones: design and evaluation. J. Netw. Comput. Appl. 165, 102687 (2020)
Li, W., Meng, W., Furnell, S.: Exploring touch-based behavioral authentication on smartphone email applications in IoT-enabled smart cities. Pattern Recognit. Lett. 144, 35–41 (2021)
Li, W., Wang, Y., Tan, J., Zhu, N.: DCUS: evaluating double-click-based unlocking scheme on smartphones. Mob. Netw. Appl. 27(1), 382–391 (2022)
Li, W., Tan, J., Zhu, N.: Double-X: towards double-cross-based unlock mechanism on smartphones. In: Meng, W., Fischer-Hübner, S., Jensen, C.D. (eds.) SEC 2022. IFIP Advances in Information and Communication Technology, vol. 648, pp. 412-C428. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-06975-8_24
Li, W., Gleerup, T., Tan, J., Wang, Y.: A security enhanced android unlock scheme based on pinch-to-zoom for smart devices. IEEE Trans. Consum. Electron. (2023)
Meng, W.: Graphical authentication. In: Jajodia, S., Samarati, P., Yung, M. (eds.) Encyclopedia of Cryptography, Security and Privacy, pp. 1–4. Springer, Heidelberg (2021). https://doi.org/10.1007/978-3-642-27739-9_1581-1
Meng, Y.: Designing click-draw based graphical password scheme for better authentication. In: Proceedings of the 7th IEEE International Conference on Networking, Architecture, and Storage (NAS), pp. 39–48 (2012)
Meng, Y., Li, W.: Evaluating the effect of tolerance on click-draw based graphical password scheme. In: Chim, T.W., Yuen, T.H. (eds.) ICICS 2012. LNCS, vol. 7618, pp. 349–356. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34129-8_32
Meng, Y., Li, W.: Evaluating the effect of user guidelines on creating click-draw based graphical passwords. In: Proceedings of the 2012 ACM Research in Applied Computation Symposium (RACS), pp. 322–327 (2012)
Meng, Y., Li, W., Kwok, L.-F.: Enhancing click-draw based graphical passwords using multi-touch on mobile phones. In: Janczewski, L.J., Wolfe, H.B., Shenoi, S. (eds.) SEC 2013. IAICT, vol. 405, pp. 55–68. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39218-4_5
Meng, W., Wong, D.S., Furnell, S., Zhou, J.: Surveying the development of biometric user authentication on mobile phones. IEEE Commun. Surv. Tutor. 17(3), 1268–1293 (2015)
Meng, W.: RouteMap: a route and map based graphical password scheme for better multiple password memory. In: NSS 2015. LNCS, vol. 9408, pp. 147–161. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-25645-0_10
Meng, W.: Evaluating the effect of multi-touch behaviours on android unlock patterns. Inf. Comput. Secur. 24(3), 277–287 (2016)
Meng, W., Li, W., Jiang, L., Meng, L.: On multiple password interference of touch screen patterns and text passwords. In: ACM Conference on Human Factors in Computing Systems (CHI 2016), pp. 4818–4822 (2016)
Meng, W., Li, W., Wong, D.S., Zhou, J.: TMGuard: a touch movement-based security mechanism for screen unlock patterns on smartphones. In: Manulis, M., Sadeghi, A.-R., Schneider, S. (eds.) ACNS 2016. LNCS, vol. 9696, pp. 629–647. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-39555-5_34
Meng, W., Lee, W.H., Liu, Z., Su, C., Li, Y.: Evaluating the impact of juice filming charging attack in practical environments. In: Kim, H., Kim, D.-C. (eds.) ICISC 2017. LNCS, vol. 10779, pp. 327–338. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78556-1_18
Meng, W., Fei, F., Li, W., Au, M.H.: Harvesting smartphone privacy through enhanced juice filming charging attacks. In: Nguyen, P., Zhou, J. (eds.) ISC 2017. LNCS, vol. 10599, pp. 291–308. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-69659-1_16
Meng, W., Li, W., Kwok, L.-F., Choo, K.-K.R.: Towards enhancing click-draw based graphical passwords using multi-touch behaviours on smartphones. Comput. Secur. 65, 213–229 (2017)
Meng, W., Li, W., Lee, W.H., Jiang, L., Zhou, J.: A pilot study of multiple password interference between text and map-based passwords. In: Gollmann, D., Miyaji, A., Kikuchi, H. (eds.) ACNS 2017. LNCS, vol. 10355, pp. 145–162. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-61204-1_8
Meng, W., Lee, W.H., Au, M.H., Liu, Z.: Exploring effect of location number on map-based graphical password authentication. In: Pieprzyk, J., Suriadi, S. (eds.) ACISP 2017. LNCS, vol. 10343, pp. 301–313. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-59870-3_17
Meng, W., Jiang, L., Wang, Y., Li, J., Zhang, J., Xiang, Y.: JFCGuard: detecting juice filming charging attack via processor usage analysis on smartphones. Comput. Secur. 76, 252–264 (2018)
Meng, W., Zhu, L., Li, W., Han, J., Li, Y.: Enhancing the security of fintech applications with map-based graphical password authentication. Futur. Gener. Comput. Syst. 101, 1018–1027 (2019)
Meng, W., Jiang, L., Choo, K.K.R., Wang, Y., Jiang, C.: Towards detection of juice filming charging attacks via supervised CPU usage analysis on smartphones. Comput. Electr. Eng. 78, 230–241 (2019)
Nelson, D.L., Reed, V.S., Walling, J.R.: Pictorial superiority effect. J. Exp. Psychol.: Hum. Learn. Mem. 2(5), 523–528 (1976)
Nyang, D., et al.: Two-thumbs-up: physical protection for PIN entry secure against recording attacks. Comput. Secur. 78, 1–15 (2018)
Passfaces. http://www.realuser.com/
Shepard, R.N.: Recognition memory for words, sentences, and pictures. J. Verbal Learn. Verbal Behav. 6(1), 156–163 (1967)
Setchi, R., Asikhia, O.K.: Exploring user experience with image schemas, sentiments, and semantics. IEEE Trans. Affect. Comput. 10(2), 182–195 (2019)
Sun, Y., Meng, W., Li, W.: Designing in-air hand gesture-based user authentication system via convex hull. In: Proceedings of The 19th Annual International Conference on Privacy, Security and Trust (PST), pp. 1–5. IEEE (2022)
Suo, X., Zhu, Y., Owen, G.S.: Graphical passwords: a survey. In: Proceedings of the 21st Annual Computer Security Applications Conference (ACSAC), pp. 463–472. IEEE Computer Society, USA (2005)
Sun, H., Chen, Y., Fang, C., Chang, S.: PassMap: a map based graphical-password authentication system. In: Proceedings of AsiaCCS, pp. 99–100 (2012)
Tao, H., Adams, C.: Pass-go: a proposal to improve the usability of graphical passwords. Int. J. Netw. Secur. 2(7), 273–292 (2008)
Wang, L., Meng, W., Li, W.: Towards DTW-based unlock scheme using handwritten graphics on smartphones. In: The 17th International Conference on Mobility, Sensing and Networking (IEEE MSN), pp. 486–493 (2021)
Wiedenbeck, S., Waters, J., Birget, J.-C., Brodskiy, A., Memon, N.: Passpoints: design and longitudinal evaluation of a graphical password system. Int. J. Hum Comput Stud. 63(1–2), 102–127 (2005)
Yan, J., Blackwell, A., Anderson, R., Grant, A.: Password memorability and security: empirical results. IEEE Secur. Priv. 2, 25–31 (2004)
Yu, X., Wang, Z., Li, Y., Li, L., Zhu, W.T., Song, L.: EvoPass: evolvable graphical password against shoulder-surfing attacks. Comput. Secur. 70, 179–198 (2017)
Zhou, T., Liu, L., Wang, H., Li, W., Jiang, C.: PassGrid: towards graph-supplemented textual shoulder surfing resistant authentication. In: Meng, W., Furnell, S. (eds.) SocialSec 2019. CCIS, vol. 1095, pp. 251–263. Springer, Singapore (2019). https://doi.org/10.1007/978-981-15-0758-8_19
Acknowledgments
We would like to thank the participants during the user study. This work was partially supported by the Startup Fund from The Hong Kong Polytechnic University.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Qin, X., Li, W. (2023). A Graphical Password Scheme Based on Rounded Image Selection. In: Yung, M., Chen, C., Meng, W. (eds) Science of Cyber Security . SciSec 2023. Lecture Notes in Computer Science, vol 14299. Springer, Cham. https://doi.org/10.1007/978-3-031-45933-7_6
Download citation
DOI: https://doi.org/10.1007/978-3-031-45933-7_6
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-45932-0
Online ISBN: 978-3-031-45933-7
eBook Packages: Computer ScienceComputer Science (R0)